To get to the bottom of the issue, ITworld reached out to security experts in the area of supply chain management to get their thoughts on how organizations can begin to understand supply chain security risk, and take steps to address it.
An old problem revisited
Supply chain security isn't a new problem. In fact, sabotage directed at supply lines is as old as warfare itself. As long ago as the Middle Ages, adversaries locked in warfare would look for ways to compromise the munitions that might be used against them - lessening casualties and also instilling fear and uncertainty in their enemy. And the practice is still in use today - with reports out of war-torn Syria that forces loyal to the government there have been distributing batches of balky ammo to opposition fighters.
With technology, however, sabotage, tampering and other impurities can lurk deep within hardware, firmware or software applications, making it difficult to detect. In one of the most celebrated acts of supply chain tampering, the U.S. Central Intelligence Agency is alleged to have conspired with a Canadian company that made industrial control software to plant a Trojan horse in applications that were known to be the target of Soviet espionage. After the KGB stole the software for use on the USSR's Trans Siberian Pipeline, the faulty software caused a pipeline explosion believed to be the equivalent of three kilotons of TNT.
That may have been a victory for the West in the waning, pre-Internet years of the Cold War, but recent events hit closer to home. In 2009, the Stuxnet worm was loosed on Iran's nuclear enrichment facility at Natanz. The malware - widely believed to have been a creation of the U.S. and its allies - nonetheless proved that it was possible to combine more traditional viruses and worms with specialized attacks on SCADA and ICS products to cripple critical infrastructure. Stuxnet's code - like the doomed pipeline software stolen by the Soviets - manipulated programmable logic controllers (PLCs) that ran Iran's uranium centrifuges, instructing them to spin to destruction, all the while reporting normal operation back to Iranian scientists. Although Siemens, the German firm that made the PLCs used at Natanz, has always denied cooperating with the U.S. and its allies on Stuxnet, the Iranian government believes the company played a role in the attack, as do other informed observers.